SoftwareSecurity2012/Group 8/Reflection
This group is a collaboration between students from Eindhoven and Nijmegen. Besides meeting on Fridays, we also met online on a regular basis. During the code scanner part of the project we divided the tools among us. Each of us looked at RIPS, and the results of the other tools were discussed. This way we could analyse more tools than the required two, which might have benefited us later on.
At first glance the tools produced many alerts, but in some cases (PHPLint for example) too many. Code Secure gave us a problem with the license, because it only allowed for 10000 lines of code to be analysed. We tried fixing this problem by removing the newlines. This seemed to work at first, but it resulted in Code Secure giving many errors, which could only be traced by counting the characters. So unfortunately we had to abandon this attempt. After researching the alerts that were produced by the other tools, we concluded that they were false positives.
Because we had already established that the tools produced false positives, we had already performed a Level 1B verification. We did, however, find it difficult to determine whether FluxBB should pass or fail this level, because we did not get any other useful results from the tools. We then continued with a manual review of the code to assess Level 2B.
First we analysed which of the verification requirements were not within the scope of the project. For each of the remaining requirements we manually analysed the code. Then we established which functions are related to the requirements and analysed whether and how those functions contributed to the security of FluxBB.
Overall we found that FluxBB was designed with security in mind and that the OWASP requirements definitely help with verifying different security-related aspects.